What is claimed is: 

1 1. A method of improving security policy administration and enforcement using a role- 

2 permission model, comprising steps of: 

3 identifying one or more groups of permitted actions on selected resources; 

4 assigning a name to each identified group; 

5 defining each assigned name to a security system as a security object; and 

6 associating subjects.with each assigned name. 

1 *f[ 2, The method according to Claim 1, wherein the assigned name is a role name. 

iff 1 3. The method according to Claim 1 ? wherein the selected resources are executable methods. 

I'M 4. The method according to Claim 1, wherein the selected resources are columns of a 

2o database table. 

1 5. The method according to Claim 1 ? wherein the selected resources are rows of a database 

2 table. 

1 6. The method according to Claim 1, wherein the selected resources are files and the 

2 permitted actions are file access operations. 

1 7. The method according to Claim 1, wherein the selected resources are function calls to 
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functions of one or more executable programs. 



1 8. The method according to Claim 1, wherein the selected resources are Enterprise 

2 JavaBeans ( cc EJBs") and the permitted actions are methods on the EJBs. 



1 9. The method according to Claim 1, wherein the selected resources are servlets and the 

2 permitted actions are methods of the servlets. 

1 J 10. The method according to Claim 1, wherein the selected resources are Uniform Resource 

2 ,p Identifiers ( cc URIs") and the permitted actions are methods which reference the URIs. 

y s 

1 ^ 1 1 . The method according to Claim 1, wherein the selected resources are JavaServer Pages 

2jJ ("JSPs") and the permitted actions are methods referenced from the JSPs. 

W 

1 H 12. The method according to Claim 1 ? wherein the selected resources are any resource that is 

2 expressible to the security system and the permitted actions are selected from a set of actions that 

3 are permitted on those resources. 



1 13. The method according to Claim 1, further comprising the steps of: 

2 receiving an access request for a particular one of the selected resources; 

3 determining one or more roles which are required for accessing the particular resource; 

4 determining an identity of a source of the access request; 

RSW920010125US1 -28- 



5 for each of the required roles, until obtaining a successful result or exhausting the required 

6 roles, determining whether the identity of the source is associated with the required role; and 

7 authorizing access to the particular resource only if the successful result was obtained. 

1 14. The method according to Claim 13, wherein the step of determining the one or more roles 

2 further comprises consulting a collection created from the identified permitted actions on the 

3 particular resource. 

1 j J 15. A system for improving security policy administration and enforcement in a computing 

2 ;E network using a role-permission model, comprising: 

3 f l means for identifying one or more groups of permitted actions on selected resources; 

4 means for assigning a name to each identified group; 

5 'g means for defining each assigned name to a security system as a security object; and 
6 13 means for associating subjects with each assigned name. 

1 16. The system according to Claim 15, further comprising: 

2 means for receiving an access request for a particular one of the selected resources; 

3 means for determining one or more roles which are required for accessing the particular 

4 resource; 

5 means for determining an identity of a source of the access request; 

6 for each of the required roles, until obtaining a successful result or exhausting the required 

7 roles, means for determining whether the identity of the source is associated with the required 
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8 role; and 

9 means for authorizing access to the particular resource only if the successful result was 
10 obtained. 

1 17. A computer program product for improving security policy administration and 

2 enforcement in a computing network using a role-permission model, the computer program 

3 product embodied on one or more computer readable media and comprising: 

4 computer readable program code means for identifying one or more groups of permitted 

5 ,q actions on selected resources; 

6 s p computer readable program code means for assigning a name to each identified group; 

Ijjj 

If 1 computer readable program code means for defining each assigned name to a security 

8 system as a security object; and 

9 m computer readable program code means for associating subjects with each assigned name. 

1 ^ 18. The computer program product according to Claim 1 7, further comprising: 

2 computer readable program code means for receiving an access request for a particular 

3 one of the selected resources; 

4 computer readable program code means for determining one or more roles which are 

5 required for accessing the particular resource; 

6 computer readable program code means for determining an identity of a source of the 

7 access request; 

8 for each of the required roles, until obtaining a successful result or exhausting the required 
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9 roles, computer readable program code means for determining whether the identity of the source 

10 is associated with the required role; and 

1 1 computer readable program code means for authorizing access to the particular resource 

12 only if the successful result was obtained. 
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